In all of this, data protection will continue to include the destruction of documents. A medical practice or hospital transmitting encrypted records, and using password-protected computers and laptops, must also destroy documents so that if there’s an office break-in, the information remains safe, Hertzberg says. With document destruction, a lot of problems go away.

Still, according to Hertzberg, unlike the bygone era of paper records, many more parties share the burden of responsibility for protecting information, whether at rest or in transmission. That’s because HIPAA requirements were updated in 2013 via the Final Omnibus Rule to expand security requirements to include business associates, a group that includes data storage and cloud service providers.

The resulting atmosphere of increasing liability requires open communication. “One of the worst things that can happen in the event of an information breach is that everyone shuts down and stops communicating,” Hertzberg says. “It’s much better for parties doing business together to work out a plan to communicate in advance of something happening. This results in problems being solved much sooner.”

Conducting “a risk assessment” provides an essential first step to making a good faith effort to adhere to HIPAA privacy and security obligations. “Even if there’s already been a security breach, once you assess the risk, you can identify and prioritize risks,” Hertzberg explains. “You can begin to address problems.”

Best practices for handling HIPAA-sensitive data can be found in abundance all over the Internet. Still, Hertzberg qualifies, “I wish government were more clear about exactly what HIPAA compliance actually means. That’s something the government still needs to work on.”

While more clarity is needed, expectations for those who handle personal health information are steep. As Hertzberg explains, the OCR expects protection to extend beyond the grave. That’s because it’s not uncommon for unscrupulous individuals to hijack information from the deceased to obtain medical coverage. In one case, a woman sought treatment for ovarian cancer after forging the identity of a deceased individual. She also eventually died, but not before the insurer paid more than $600,000 in coverage toward her medical bills, Hertzberg says.

Greed, personal advantage or malicious intent are frequently suspected behind security breaches, but often those motives have not been factors, according to Chad Gough, a computer forensics examiner for 4Discovery, a company specializing in digital and mobile forensics. “Until fairly recently, we’ve seen a lot of inadvertent disclosure with people who are taking work home on laptops.”

Laptop risk is fairly easily mitigated with a password and encryption, he adds. One such scenario involved a nurse’s aid completing a spreadsheet at home. It was necessary to determine what other devices, such as her phone, may have been used to download or transmit information. “You don’t generally need a subpoena for something like this because people are cooperating,” Gough says. “But if they don’t cooperate, then you must obtain a motion to compel, which is a judge’s order to cooperate and turn over the information.”

Gough anticipates that the transmission aspect of data now makes protecting it a lot more challenging, especially given the greater numbers of users. Still, he says, he’s not certain if 4Discovery has handled a data-loss event relating to electronic health records.” A malpractice suit involving the obliteration of nurses’ notes might provide an example, but it may be too early to tell, he says. Solving the mystery of who managed to delete the records, however, might shed
light on the status of nurses’ notes as permanent records.

Still other complexities have surfaced in the changing landscape of electronic medical and health records. Gough related the case of two doctors parting ways: One doctor copied patient records to start his own practice. While the records were in the original practice, they were protected by a security server, by passwords and office doors that locked, but when the doctor downloaded information, suddenly the data was no longer encrypted or protected.

“In this case it’s mandatory to notify patients,” Gough says, “and there is cost associated with notification.” Beyond determining which doctor should have rightful access to patient records, there’s the additional burden of deciding who is obligated to pay for informing patients of an information breach, he says. A misuse of data could result in additional liabilities.

The sheer volume of new data brings unwieldiness as well. “If all you’re doing is socking away information, that doesn’t mean you can necessarily get to it,” says Kapetansky of Trexin, pointing to the arrival of big data and the necessity of data marts that enable users to shop for data.

Tapping personal health information is essential to providing better care and reducing cost. As an example, Kapetansky suggests, if a patient would benefit from the latest information about knee-replacement surgery and a healthcare provider wants to relay this, the ability to access health and personal contact information needs to be strong enough to do this. It’s not a matter of pirating data to market an unwanted product, he asserts. “It’s OK if a hospital uses its insights to provide best care. They’re not invading your privacy. They’re just using information they already have to address patient needs.”

Regardless of the many challenges, electronic sharing of health information among healthcare providers and insurers is expected to improve care. If all goes well, the result is a “longitudinal patient record” that contains an individual’s complete medical history, which provides a more comprehensive picture and enables better care. “At best,” says Kapetansky, “this is something on the order of a health history compiled by the old country doctor who’s known you your entire life.”